October 24th, 2020
New interim releases for Ubuntu and Node.js, and a practical Linux shell for iOS. A stealth WordPress plugin update and a takedown notice for youtube-dl raise eyebrows, 1Password lands on Linux, Debian boosts PeerTube's finances, and more.
Canonical has released version 20.10 of Ubuntu. As an interim release, the update will only be supported through July next year, and is really aimed at enthusiasts, and anybody interested to see what direction the project is taking. The release ships with version 5.8 of the Linux kernel, and brings GNOME 3.38 to its desktop users. While all of Ubuntu's various flavours have also pushed out updates of their own, perhaps the most eye-catching change this release cycle is the addition of official desktop support for Ubuntu proper on the Raspberry Pi platform. And while this support only extends as far as the four gigabyte or better version of the latest Pi and its companion Compute Module, the distribution remains certified and available on previous Pi models as well — although they don't really have the horsepower to run a full GNOME desktop, and are more suited to server-based tasks. And that's the use-case that Canonical has again looked to draw attention to, by blogging about how tools such as MicroK8s can be installed on the latest Pi platform — enabling users to easily create and deploy 'micro clouds' of compute infrastructure at the edge, and among IoT devices.
• Ubuntu 20.10 (Groovy Gorilla) released
• Groovy Gorilla Release Notes
• Ubuntu 20.10 Flavours Released, This is What’s (Mostly) New
• [Video] Ubuntu Desktop on Raspberry Pi
• Ubuntu 20.10 on Raspberry Pi delivers the full Linux desktop and micro clouds
• Ubuntu clouds on the Raspberry Pi
Version 15 of Node.js has been released. And like Ubuntu, this is an interim release, with a much shorter support lifetime than the project's LTS versions. While the update includes experimental support for the QUIC network protocol and brings a handful of other changes, it's likely that the biggest improvement that users will notice is the introduction of version 7 of the Node package manager — which can now automate the installation process for peer dependencies, and offers support for managing multiple packages within a single top-level root package.
• Node.js v15.0.0 is here!
• Presenting v7.0.0 of the npm CLI
iSH, which had been available in TestFlight beta for almost two years, has now gained a listing in the full Apple Store. The application provides a shell environment for users of iOS devices, and is based on the minimal Alpine Linux distribution — which is frequently used for container applications, due to its small size and fast boot time. While the developer had to remove the Alpine package manager in order to be granted access to the full Apple Store, it appears to be trivially easy to reinstall it, by following the instructions linked in today's shownotes.
• Installing apk on the App Store Version
A major vulnerability in a popular WordPress plugin has raised some eyebrows — not just due to its severity, but also because of how WordPress helped deal with the problem. Recent research found that the Loginizer plugin, which helps protect over a million WordPress sites from brute-force attacks, was failing to properly sanitize its input, allowing arbitrary SQL command injection against vulnerable sites. And while the plugin was rapidly patched to fix the issue, not everybody keeps their sites completely up to date — so WordPress decided to force-install the update for anyone using the plugin. This caused some confusion and surprise for WordPress users who hadn't been aware that the platform allows for arbitrary software installation — and has prompted some to question how many times WordPress has taken similar steps in the past, without any local administrator oversight.
• WordPress deploys forced security update for dangerous bug in popular plugin
While the actions of WordPress caused some limited concern in the community, yesterday saw a furore erupt when the news broke that GitHub had responded to a takedown notice from the Recording Industry Association of America, and disabled the youtube-dl repository, and several forks of the same code. The notice alleges that the popular command line downloader was designed and marketed as a tool to circumvent the technical protections of streaming services such as YouTube, and that it facilitates the reproduction of copyrighted works. Although GitHub had little option but to promptly comply with the notice in order to protect itself from potential liability, that didn't stop many on social media from immediately denouncing the company's response. And to confuse the picture further, while takedown notices normally apply to directly infringing content, in this case the RIAA is arguing that youtube-dl is an enabling technology for piracy, rather than being an infringement of copyright in and of itself. This distinction has further muddied the waters, and right now there doesn't appear to be a consensus among legal experts online as to the validity of the takedown notice. Either way, the developers of youtube-dl have a right of counterclaim, which if successful would see their repo restored — and I'll be watching events unfold, and report back as they do.
• Notice served on GitHub
• The RIAA is coming for the YouTube downloaders
• Reddit: youtube-dl github repo taken down due to DMCA takedown notice from the RIAA
• Hacker News: YouTube-dl has received a DMCA takedown from RIAA
1Password has launched a beta version of its client for Linux. While not open source, the password manager is still very popular in the community, and the Linux version is likely to receive a warm welcome from those already using it on other desktop or mobile operating systems. Built using React against a Rust back-end, the new client attempts to integrate well with the Linux desktop — and will even automatically blend in with the user's choice of dark or light mode GTK theme. 1Password has set up signed package repositories for downloading the software, and is also making it available through the Snap Store and as an AppImage. And in a final piece of outreach that is likely to win it even more adopters, the company is offering its normally paid-for service completely free of charge to open source project teams that request it. But if you'd rather keep all of your passwords offline and totally under your own control, then an application like KeePassXC might be a better choice. And this app received a maintenance update earlier in the week, which, along with a number of bug fixes and UI improvements, added an 'always on top' mode, and better import and export functionality.
• 1Password for Linux beta is now open
• KeePassXC 2.6.2 released
On the last show I mentioned that the latest release of Firefox had just landed. While it didn't seem a particularly noteworthy update at the time, the release has apparently been causing a variety of printing problems, unwanted website logouts, and other issues for some users. Mozilla has now throttled the rollout of Firefox 82, so that it can attempt to address the bugs that have been reported.
• Firefox/Channels/Meetings/2020-10-22: Schedule Update
The Debian project has donated ten thousand euros, or roughly twelve thousand dollars, to help the French nonprofit Framasoft fund further development of its federated PeerTube video platform. PeerTube has been slowly catching up with the functionality offered by competitors such as YouTube in recent years, and back in May unveiled a roadmap for its future development that it hoped to follow, if finances allowed. The donation from Debian has helped carry PeerTube's fundraiser over the finish line, and will allow the project to work on bringing near real-time peer-to-peer streaming to its open source video platform.
• Debian donation for Peertube development
• [Old] Our plans for PeerTube v3 : progressive fundraising, live streaming coming next fall